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MEMORANDUM FOR: Members of the DCI Security Committee 


FROM: Robert W. Gambino 
Chairman 
DCI Security Committee 


SUBJECT: Community-Wide Computer Assisted 
Compartmentation Control System (4C} (U) 


REFERENCE: SECOM-D-345, 26 June 1978;.same Subject 


1. (U) Responses to the Requirements Package were unani- 
mously supportive of the 4C concept, but there were questions 
and reservations about some elements. These are set forth as 
ITEMs, followed by COMMENTs, which have been prepared by the 
4C Requirements Team. 


ITEM A: (U) Paragraph 6.2 of reference describes a system 
which seems based on the assumption that some NFIB members 
will choose not to make all, or most, of their SCI record 
holdings available for retrieval by all other members. Some 
Lar observed that this would greatly reduce the benefits 
of 4C. 


COMMENT: (U) The Requirements Team and most of the partici- 
pating organizations have perceived 4C as an information bank 
which can be used to ascertain whether individuals have been 
authorized accesses to SCI, to identify the Sponsors, to ob- 
tain information concerning background investigations, to 
verify term certifications, etc. It is planned that such in- 
formation will be available within secure Government-controlied 
areas from 4C terminals operated by cleared personnel. Under 
such conditions the information will be protected, and its 
ready availability to people with a need-to-know will reduce 
the telephone calls, cables, memos, and some travel now required 
to perform necessary business. 
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Such benefits will be reduced if parti¢ipating organi- 
zations elect, without sound reasons, to make their records 
inaccessible to other NFIB organizations. 


There are sound reasons, however, for exceptionally 
tight protection of some records. The 4C system must provide 
the option of making a record inaccessible except to the Spon- 
sor and to the Central Facility. Without such option, some 
members might feel obliged to withhold certain records, in 
which case the DCI requirement of a complete data base would 
not be satisfied. 


ITEM B: (C) There are differing opinions concerning the 
proper classification of the 4C data base, and the question 
of whether 4C information should be transmitted and storediin 
compartmented channels. (The draft Requirements Package pro- 
posed that the data be SECRET and not compartmented. The 


.final package, as a result of comment to the draft, stated 


that the 4C data base, and 4C information transmitted or 
stored, must be classified SECRET and handled vialj[channels.} 25X1A 


COMMENT: (C} The BSO CIA, after considering the reply to the 
draft, agreed that the data base as a whole should not be 
available outside of BMM—Ichannels, and that the classification 
of SECRET was appropriate. 


Over the years we have handled a similar data base 
(SPECLE} as SECRET. [Individual records within such data 
bases have been handled as unclassified and uncompartmented, 
and listingsof ail individuals sponsored by some Agencies/ 
Departments have been handled as CONFIDENTIAL, or even un- 


classified, and uncompartmented. 


With existing SCI access approval record-keeping systems 
we have had human intervention at central facilities between 
remote quéries and responses to those remote queries. The 
human intervention has provided protection against releasing 
information to unauthorized individuals or those who have no 
“"need-to-know''. It has protected individuals who are under 
cover. It has permitted us to assign proper classification, 
and to properly channel reports which are transmitted to 
customers, 


It is essential to provide suitable protection against 
unauthorized release of information while maintaining efficiency 
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in processing and eccessing 4C information. The Requirements 
Team concluded that, on balance, optimum results would be ob- 
tained by establishing rigorous security measures (hardware, 
software, personnel, encryption, emanation and physical) for 

the system as a whole. It was assumed that this would encourage 
the input of all SCI access approval records, simplify the 
system's internal security features and encourage members to 
make their records available to other Agencies/Departments 

(see Item A, above). 


The Specifications Team will give additional attention 
to this problem, and will explore various possibilities for 
improving system efficiency while protecting the information. 


ITEM C: (U) Several members question the plan to implement 
Phase 1 of 4C without a positive commitment to proceed to 
Phases 2 and 3, with all remote stations (CONUS and Overseas) 
identified and included in cost estimates. 


COMMENT: (U) With implementation of Phase 1, in order to 
achieve a current data base, it is anticipated that there 

will be increased utilization of cables to expedite the ree 
cording of indoctrinations or debriefings which occur at 
distant points. The degree of success in utilization of cable 
facilities may influence the determination of Phase 2 and 
Phase 3 requirements. 


It is safe to predict that there will be changes in the 
locations of activities, the volumes of recordable actions 
at the various locations, and there will be changes in methods 
and technology which will impact on requirements and costs of 
Phases 2 and 3. 


ITEM DB: (U) Some members, with widely dispersed indoctrina- 
tion/debriefing and certification operations, are dubious about 
their ability to maintain a current 4C data base. 


COMMENT: (U) This Item is closely related to Item C, above. 
The Requirements Team, in questioning the economic feasibi- 
lity of placing on-line interactive terminals at each of the 
many scattered points around the world, has costed a system 
in which there will be some delay between events and the 
recording of those events in 4C. The 4C system was costed 
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for Phase 2 and Phase 3 expansion only to points having a 
relatively high volume of activity. During Phase 1, with 
expanded use of existing cable facilities, there can be great 
improvement in the timeliness of the central data base. 


ITEM E: {UU} Some members have expressed concern about the 
increased work load in developing 4C and in maintaining their 
existing system plus the 4C system after it becomes opera- 
tional. They are dubious about availability of manpower. 


COMMENT: (U) Organizations with large numbers of records and 
existing ADP systems will be expected to provide manpower to 
work with the Specifications Team as required, to assist in 
the conversion of data to 4C specifications, and may need to 
operate parallel systems during an operational test period. 
4C is a major project which will not succeed without manpower 
support from participating organizations. 


Adequate support from each member of the Community is 
essential for the success of 4C. The Requirements Team did 
not attempt to assess the amount of manpower support which 
will be required from each participating organization. 


The Requirements Team did not conduct a Costs/Benefits 
analysis, but did conclude that 4C has the potential to re- 
place some existing ADP systems, and eliminate some redundancies 
in keypunching, computer processing, and storage. Also, with 
4C replacing some existing systems, there will be a consid- 
erable reduction in computer programming in the Community. 
Correction of "“bugs'! or system enhancements in 4C will bene- 
fit all participating organizations, and less work will be 
required to exchange data between systems. 


ITEM F: (UU) Is the CIA paying for all costs, except for 
salaries of employees who will participate in development, 
operation, and maintenance of 4C? 


COMMENT: (C) No. Each participating organization will be 
expected to provide and prepare appropriate space for peri- 
pheral equipment. The space should be ready at the time the 
equipment is scheduled for installation. 


In buildings which are serviced by Tetrahedron, the par- 
ticipating organizationsshotId arrange for installation of 
lines from the Technical Control Facility (in their building) 
to areas where 4C peripheral equipment will be installed. 
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ITEM G: {(C) The assumption that the KG-84 would be available 
in time to meet the cryptographic needs of 4C was questioned. 


COMMENT: (C)} It now appears that the KG-84 will not be avail- 
able within the expected time frame. Consequently, the KG-34 
would have to be used instead of the KG-84. 


ITEM li: (U) Some NFIB members have surfaced possible re- 
quirements for additional terminal equipment and communications 
facilities at locations which were not mentioned during the 
study of requirements. One member advised that a planned | 
centralization of operations would rdduce such requirements. | 
On balance, the responses to SECOM-D-34S have indicated an 
increase in Phase 1 requirements for terminals and communi- 
cations. 


COMMENT: {U) The Requirements Team costed a central facility 
which can service additional remote terminals. If there is 

a decision to implement Phase 1 of 4C with a fixed amount of 
money not sufficient to meet all immediate requirements, it | 
may be necessary to postpone installation of equipment at some | 
remote sites. 


ITEM I: (U) There were questions or comments concerning 
various matters, which were not studied in detail by the 
Requirements Team. Some examples are: {1) the definitions 
of Data Fields, both required and optional; (2Z} the methods 
to be used in updating two systems, when 4C can not replace 
an existing ADP system; (3) the need to maintain an audit 
trail on queries (Privacy Act and security considerations); 
and (4) the use of AUTODIN. 


COMMENT: (U) With the assistance of participating organiza- 
tions, these are questions which will be addressed and resolved 
by the Specifications Team. 


2. (U) Reservations, as described above, will be con- 
sidered when I participate in discussions of 4C funding. 
You will be notified promptly when the decision is made. 


3. (U) Thank you fer your assistance in conducting 
the 4C requirements and costing study. 


obert W. Gambino 
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